Gallus, yet another PDF analyzer (alpha)

Introducing Gallus

Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents.

How Gallus Works

Gallus is designed to extract and analyze the malicious components resides inside PDF documents. If the component exist, it will gone through a series of analysis to collect further malicious element that might exist.

Extracting and parsing

Usually, a malicious PDF document uses JavaScript code to trigger the vulnerability(s) and to execute the payload. By detecting and parsing the embedded JavaScript code, we are able to determine the maliciousness of the PDF document.

Analysis

After the detected code is parsed, a series of analyses will be conducted to obtain the shellcode used for payload and also the vulnerability(s) that’ll be exploited. Most of the malicious PDF document will use obfuscation techniques to bypass the analysis process. To encounter such techniques, Gallus uses Spidermonkey to interpret the obfuscated code plus other deobfuscation modules.

Exploit

From the malicious JavaScript code, we can determine the vulnerability(s) used. To name some of the exploit that usually used inside malicious PDF documents are:

Shellcode

Gallus is able to detect and extract shellcode inside malicious PDF document. From the shellcode obtained, we are able to determine the behaviour of the shellcode by using shellcode analyzer. In a usual cases, we might also found potential malware URL used in URLDownloadToFile payload.